-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:06.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL timing-based SSL/TLS attack

Category:       crypto
Module:         openssl
Announced:      2003-03-21
Credits:        Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
Affects:        All FreeBSD versions prior to 4.6-RELEASE-p12,
                4.7-RELEASE-p9, 5.0-RELEASE-p6
Corrected:      2003-03-20 21:07:20 UTC (RELENG_4)
                2003-03-21 16:12:34 UTC (RELENG_4_7)
                2003-03-21 16:12:03 UTC (RELENG_4_6)
                2003-03-21 16:13:06 UTC (RELENG_5_0)
FreeBSD only:   NO

I.  Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL
Project is a collaborative effort to develop a robust, commercial-
grade, full-featured, and Open Source toolkit implementing the Secure
Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.

II.  Problem Description

This advisory addresses two separate flaws recently fixed in OpenSSL:
 (1) an RSA timing attack, and (2) the Klima-Pokorny-Rosa attack.

- - - From the OpenSSL Project advisories (see references):

(1) Researchers have discovered a timing attack on RSA keys, to which
    OpenSSL is generally vulnerable, unless RSA blinding has been
    turned on.

(2) Czech cryptologists Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa
    have come up with an extension of the "Bleichenbacher attack" on
    RSA with PKCS #1 v1.5 padding as used in SSL 3.0 and TLS 1.0.
    Their attack requires the attacker to open millions of SSL/TLS
    connections to the server under attack; the server's behaviour
    when faced with specially made-up RSA ciphertexts can reveal
    information that in effect allows the attacker to perform a single
    RSA private key operation on a ciphertext of its choice using the
    server's RSA key.  Note that the server's RSA key is not
    compromised in this attack.

III.  Impact

RSA timing attack:
  An RSA private key may be compromised.

Klima-Pokorny-Rosa attack:
  A vulnerable server, when faced with specially made-up RSA
  ciphertexts, can reveal information that in effect allows the
  attacker to perform a single RSA private key operation on a
  ciphertext of its choice using the server's RSA key.  Note that the
  server's RSA key is not compromised in this attack.

IV.  Workaround

RSA timing attack:
  Disable the use of RSA or enable RSA blinding in OpenSSL using the
  RSA_blinding_on() function.  The method of adjusting the list of
  acceptable ciphersuites varies from application to application.  See
  the application's documentation for details.

Klima-Pokorny-Rosa attack:
  Disable the use of ciphersuites which use PKCS #1 v1.5 padding in SSL
  or TLS.  The method of adjusting the list of acceptable ciphersuites
  varies from application to application.  See the application's
  documentation for details.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_4_7
(4.7-RELEASE-p9), RELENG_4_6 (4.6-RELEASE-p12), or RELENG_5_0
(5.0-RELEASE-p6) security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.6, 4.7,
and 5.0 systems which have already been patched for the issues resolved
in FreeBSD-SA-03:02.openssl.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:06/openssl.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:06/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html >.

Note that any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled.

All affected applications must be restarted for them to use the
corrected library.  Though not required, rebooting may be the easiest
way to accomplish this.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Patch
- -------------------------------------------------------------------------
RELENG_4
  src/crypto/openssl/crypto/rsa/rsa_eay.c                         1.2.4.6
  src/crypto/openssl/crypto/rsa/rsa_lib.c                         1.2.2.7
  src/crypto/openssl/ssl/s3_srvr.c                            1.1.1.1.2.7
RELENG_4_6
  src/UPDATING                                             1.73.2.68.2.39
  src/crypto/openssl/crypto/rsa/rsa_eay.c                     1.2.4.2.6.3
  src/crypto/openssl/crypto/rsa/rsa_lib.c                     1.2.2.3.6.2
  src/crypto/openssl/ssl/s3_srvr.c                        1.1.1.1.2.3.6.3
  src/sys/conf/newvers.sh                                  1.44.2.23.2.29
RELENG_4_7
  src/UPDATING                                             1.73.2.74.2.11
  src/crypto/openssl/crypto/rsa/rsa_eay.c                     1.2.4.3.2.2
  src/crypto/openssl/crypto/rsa/rsa_lib.c                     1.2.2.4.2.1
  src/crypto/openssl/ssl/s3_srvr.c                        1.1.1.1.2.5.2.1
  src/sys/conf/newvers.sh                                  1.44.2.26.2.11
RELENG_5_0
  src/UPDATING                                                 1.229.2.11
  src/crypto/openssl/crypto/rsa/rsa_eay.c                         1.8.2.2
  src/crypto/openssl/crypto/rsa/rsa_lib.c                         1.6.2.2
  src/crypto/openssl/ssl/s3_srvr.c                            1.1.1.9.2.2
  src/sys/conf/newvers.sh                                         1.6.2.2
- -------------------------------------------------------------------------

VII. References

<URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0131 >
<URL: http://eprint.iacr.org/2003/052/ >
<URL: http://www.openssl.org/news/secadv_20030317.txt >
<URL: http://www.openssl.org/news/secadv_20030319.txt >
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iD8DBQE+e3s9FdaIBMps37IRAufUAKCTht2X617uI3AB8G/RnRLNvmuFUwCffDNW
wMVBJ2SE2dSq6JcNdCFT9jA=
=PBbA
-----END PGP SIGNATURE-----
